mirror of
https://opendev.org/openstack/ironic.git
synced 2026-01-16 23:01:47 +00:00
98c25db51d
Before this change, Ironic did not filter file:// paths when used as an image source except to ensure they were a file (and not, e.g. a character device). This is problematic from a security perspective because you could end up with config files from well-known paths being written to disk on a node. The allowlist default list is huge, but it includes all known usages of file:// URLs across Bifrost, Ironic, Metal3, and OpenShift in both CI and default configuration. For the backportable version of this patch for stable branches, we have omitted the unconditional block of system paths in order to permit operators using those branches to fully disable the new security functionality. Generated-by: Jetbrains Junie Closes-bug: 2107847 Change-Id: I2fa995439ee500f9dd82ec8ccfa1a25ee8e1179c |
||
|---|---|---|
| .. | ||
| api | ||
| cmd | ||
| common | ||
| conductor | ||
| conf | ||
| db | ||
| dhcp | ||
| drivers | ||
| hacking | ||
| objects | ||
| tests | ||
| __init__.py | ||
| version.py | ||